March 2002 Reader Challenge

Congratulations to Rachel Klein of San Francisco, who wins first prize, a copy of "Admin911: Windows 2000 Registry." Second prize, a copy of "Admin911: Windows 2000 Terminal Services" by Larry J. Seltzer, goes to Roger Stout of Seattle.

The Problem

Betty and Bob are the IT directors for MansionsOnly Real Estate, which has a 50-seat LAN of Windows XP Professional and Windows 2000 Professional workstations that log on to a Win2K domain. Ten of the Win2K Pro workstations are reserved for the 35 sales agents who work for the company. Agents spend most of their time in the field, garnering listings and showing houses, so all 35 agents are never in the office at the same time. Each agent shares an assigned computer with at least one other agent.

To access the company's database, the agents log on to the domain. For word processing, maintaining private client lists, and other clerical tasks, the agents log on to the local computer (local logon is faster), where each agent has a documents folder. The agents have computer skills ranging from none to "knows enough to be dangerous."

Every time one of the "knows-enough-to-be-dangerous" users fools around with the local computer's settings, Betty and Bob hear complaints from the other users who share that computer. Betty and Bob made sure each computer's local users were in appropriate local groups, but complaints continue.

Finally, Bob told Betty he was going to stop the complaints by using local policies to apply user settings to each computer. "Groups are security oriented, not policy oriented, so I'm going to set local policies. Then, people who know what they're doing can make some changes, but the changes won't affect the other users," he explained.

"I don't think you can do that," said Betty.

"Easy as a couple of mouse clicks," returned Bob.

The next day Bob reported his results to Betty. "OK, solving the user settings problem didn't take just a couple of mouse clicks," he said. What problem did Bob encounter, and what did he have to do?

The Solution

Local policies didn’t work because all the agents were using Win2K Pro computers. You can’t set individual local user policies in Win2K (but you can in XP). The best workaround involves more than a couple of mouse clicks. You need to load and use Windows NT’s Policy Editor, which lets you configure user settings for a computer. Sometimes, the expression "oldies but goodies" turns out to be a practical and valuable idea.